
Microsoft 365 E3 vs E5: Decision Framework for Architects
M365 E3 vs E5 decision framework for architects: TCO breakpoints, cost comparison scripts, and the rule for when E5 actually beats E3 plus add-ons.
"Just put everyone on E5." I hear this recommendation constantly, and it is almost always wrong. E5 is an excellent product but recommending it for every user in an organisation without analysing what those users actually need is the licensing equivalent of buying a four-bedroom house for someone who lives alone because "they might want the space."
To be clear: this is not a post telling you to downgrade from E5 to E3. If you are using E5's advanced security, compliance, and voice capabilities, E5 is worth every penny. The problem I see repeatedly is organisations that bought E5 with the intention of enabling all those features, never did, and now complain about how expensive it is. If you know you are not using Defender for Endpoint's threat hunting, or Purview's Insider Risk Management, or PIM, and you do not have a defined, scheduled project to deliver them, why are you still paying for them?
That question requires actual analysis, not a feature comparison table. This post provides the framework for that analysis. We will walk through the feature differences that actually matter, build a TCO model that accounts for targeted add-ons, establish the breakpoints where E5 becomes cost-effective, and give you the PowerShell scripts to audit your own tenant. If you have not already run a licence audit, start with The M365 Licensing Audit Nobody Wants to Do. That post identifies waste in your current assignments. This post tells you what to do about it.
Prerequisites: All scripts use the Microsoft Graph PowerShell SDK v2.x and require PowerShell 7+. For foundational Graph API patterns, see Microsoft Graph API for Architects.
Why "E5 for Everyone" Persists
The default recommendation persists for three reasons, none of which are good:
1. It is easier to manage. One SKU, one group, no edge cases. This is a valid operational argument for very small organisations (under 50 users) where the licensing premium is negligible. For a 1,000-user tenant, the maximum E5 premium over E3 is £199,200 per year. Even after adding targeted supplements, the real-world saving from mixed licensing is typically £20,000-£80,000 annually at that scale. That is not a rounding error.
2. Microsoft's sales motion incentivises it. The E5 upsell is one of Microsoft's highest-margin motions. Resellers and Microsoft account teams are measured on E5 adoption, and the comparison table on Microsoft's website is designed to make E3 look incomplete; it is not. E3 is a fully functional enterprise productivity and security platform. With Microsoft's announcement of the E7 tier, this dynamic is only going to intensify, and if organisations cannot articulate the value they are getting from E5 today, the E7 conversation is going to be even more painful.
3. Nobody has done the analysis. This is the real reason. The feature-by-feature comparison between E3, E5, and the various add-on combinations is genuinely complex. Most organisations do not have someone whose job it is to optimise M365 licensing, so the default wins.
Let's fix the third one.
The Features That Actually Drive the Decision
Not every E5 feature matters equally. In practice, the decision comes down to four areas: identity security, endpoint security, compliance, and voice. Everything else (Power BI Pro, Viva Insights, advanced analytics) is useful but rarely the factor that tips the balance.
Identity: Entra ID P1 vs. P2
E3 includes Entra ID P1. That gives you Conditional Access, self-service password reset, and hybrid identity. For most organisations, P1 is sufficient for day-to-day access control.
E5 adds Entra ID P2, which unlocks three capabilities that matter:
| Capability | What It Does | Who Needs It |
|---|---|---|
| Privileged Identity Management (PIM) | Just-in-time role activation for admin roles | IT admins, security team (typically 5-15% of users) |
| Identity Protection | Risk-based Conditional Access (sign-in risk, user risk) | All users subject to risk-based CA enforcement |
| Access Reviews and Access Packages | Periodic recertification of group/role membership; self-service access request workflows | Compliance officers, group owners, all users (for access requests) |
Access Reviews deserves a special mention. I have not visited an organisation recently that knows what this feature is, let alone understands the power of Access Packages (self-service access request and approval workflows with automatic expiry). For a feature that is straightforward to deliver and integrates naturally into BAU processes like joiner/mover/leaver, it is baffling that this is not one of the first P2 capabilities teams enable. If you are paying for P2 or E5 and have not set up Access Reviews, you are leaving one of the easiest governance wins on the table.
The licensing nuance here is important, and often misunderstood:
- PIM requires P2 only on users who activate privileged roles. If you have 20 admins, that is 20 P2 licences.
- Identity Protection requires P2 on every user subject to risk-based Conditional Access enforcement. The risk engine will evaluate sign-in risk for unlicensed users and surface detections in the portal, but Microsoft's licensing terms require each user in scope for risk-based CA policies to hold P2. If you want org-wide risk-based CA, all users need P2.
- Access Reviews requires P2 on users whose access is being reviewed, plus the admin configuring the review.
The implication: PIM is cheap to deploy selectively (20 admins x £7.20 = £144/month). Identity Protection with org-wide scope is not selective at all, and at £7.20/user/month across 1,000 users (£7,200/month) it starts to shift the E5 calculus. This is why the breakpoint formula matters: once you add Entra P2 org-wide to the add-on stack, you are already a significant fraction of the way to E5's premium.
Endpoint Security: Defender for Endpoint
This is where the biggest misunderstanding lives. E3 does not include Defender for Endpoint. The "Defender" in Windows is the built-in antivirus engine, a Windows OS feature. The cloud EDR service (device inventory, threat hunting, advanced analytics, 6-month timeline) is a separate product.
| Tier | What You Get | Included In |
|---|---|---|
| MDE Plan 1 | Device inventory, basic vulnerability management, endpoint firewall policy | M365 Business Premium (≤300 users), standalone |
| MDE Plan 2 | Full EDR, threat hunting, automated investigation, 6-month timeline | M365 E5, standalone (~£4.50/user/month) |
If your security requirements include EDR (and they should, for any organisation taking endpoint security seriously), you need either E5 or the standalone MDE Plan 2 add-on. The question is whether you need it for every device or just managed corporate endpoints. Field workers on shared devices, kiosk users, and meeting room accounts typically do not need full EDR coverage.
Compliance: Purview
Purview licensing is the most complex area in all of M365. The headline features in E5 Compliance are:
- Advanced DLP (endpoint DLP, exact data match, trainable classifiers)
- Insider Risk Management
- eDiscovery Premium (intelligent review, custodian management)
- Audit Premium (1-year log retention, API access)
- Communication Compliance
- Auto-labelling (service-side sensitivity label application)
The licensing rule that catches everyone: for Insider Risk Management, Communication Compliance, and advanced DLP, the target user must hold the licence. An org-wide Insider Risk policy only covers E5-licensed users. If you license 50 compliance officers with E5 and leave 950 users on E3, your Insider Risk coverage has a 950-user blind spot.
This is the one area where "E5 for everyone" can be the correct answer, but only if your compliance requirements genuinely mandate org-wide coverage for these specific features. The following table summarises when E5 Compliance is likely required:
| Framework | E5 Compliance Required? | Key Drivers |
|---|---|---|
| Cyber Essentials Plus | No | Focuses on patch management, access control, malware protection. E3 + Intune is sufficient. |
| ISO 27001:2022 | Not typically | Risk-based framework. Annex A.8.12 (DLP) and A.8.16 (monitoring) can be met with compensating controls. |
| SOC 2 Type II | Depends on scope | Audit Premium log retention helps evidence monitoring controls, but is not strictly required. |
| FCA/PRA (UK Financial Services) | Likely yes for in-scope users | Communication Compliance and Audit Premium map directly to FCA operational resilience requirements. |
| NIST 800-171/CMMC Level 2+ | Likely yes | Audit Premium 1-year retention and advanced DLP map to NIST AC, AU, and IA control families. |
For sensitivity labels specifically, the distinction is different: the admin deploying the policy needs the licence, but users in scope for a label policy do not require E5. Manual classification works on E3. Service-side auto-labelling (applying labels to data at rest in SharePoint and Exchange) requires E5 Compliance. Client-side automatic labelling in M365 Apps is available at E3 with basic sensitive information type matching.
Voice: Teams Phone
E5 includes Teams Phone System and Audio Conferencing. E3 does not.
Teams Phone standalone: ~£7.40/user/month. Audio Conferencing standalone: ~£2.00/user/month. Note that Teams Phone provides the PBX capability, but PSTN connectivity requires a separate Calling Plan, Direct Routing via SBC, or Operator Connect on top of it.
In most organisations, 40-60% of users need PSTN calling capability. The rest communicate via Teams chat, meetings (no dial-in needed), and email. Deploying voice add-ons to the users who need them rather than upgrading the entire organisation to E5 for the phone system is almost always the right call.
Even at 100% voice coverage, the standalone phone cost (£7.40/user/month) is less than half the E5 premium (£16.60/user/month). Voice alone never justifies E5.
E3 vs E5 TCO Calculation
Here is the actual maths. All prices are Microsoft list prices in GBP (annual commitment). Your EA or CSP rates will differ, but the ratios stay approximately the same.
Base prices:
- M365 E3: £28.40/user/month
- M365 E5: £45.00/user/month
- E5 premium over E3: £16.60/user/month
Common standalone add-ons:
| Add-on | £/user/month |
|---|---|
| Entra ID P2 | 7.20 |
| Defender for Endpoint P2 | 4.50 |
| Defender for Office 365 P2 | 3.70 |
| Teams Phone Standard | 7.40 |
| Audio Conferencing | 2.00 |
| Power BI Pro | 7.50 |
| Intune Suite | 8.10 |
| Copilot for M365 | 25.00 |
The Breakpoint Formula
E5 becomes cost-neutral when the sum of add-ons a user needs exceeds the E5 premium:
If (sum of required add-on costs) > £16.60/user/month → E5 is cheaper
If (sum of required add-on costs) < £16.60/user/month → E3 + add-ons is cheaper
Some worked examples for a single user:
| Scenario | Add-on Cost | vs. E5 Premium (£16.60) | Winner |
|---|---|---|---|
| Only Teams Phone | £7.40 | Below | E3 + add-on |
| Entra P2 + MDE P2 | £11.70 | Below | E3 + add-ons |
| Entra P2 + MDE P2 + Teams Phone | £19.10 | Above | E5 |
| Entra P2 + MDE P2 + Defender O365 P2 | £15.40 | Below (marginally) | E3 + add-ons |
| Entra P2 + MDE P2 + Defender O365 P2 + Teams Phone | £22.80 | Well above | E5 |
The practical rule: E5 makes financial sense when a user needs three or more E5-exclusive feature areas. If they need one or two, targeted add-ons win. If the required features vary by user group, mixed licensing wins.
Cost Model: 1,000-User Example
For a 1,000-user organisation where:
- 200 users (security, IT, compliance) genuinely need 3+ E5 feature areas
- 350 users need Teams Phone
- 150 users need Power BI Pro
- All users need Entra P2 + MDE P2 (baseline security)
Scenario A: All E5
- 1,000 x £45.00 = £45,000/month (£540,000/year)
Scenario B: Optimised mix
- 200 x £45.00 (E5 for power users) = £9,000
- 800 x £28.40 (E3 base) = £22,720
- 800 x £7.20 (Entra P2 for E3 users) = £5,760
- 800 x £4.50 (MDE P2 for E3 users) = £3,600
- 150 x £7.40 (Teams Phone for E3 users who need voice, excluding 200 E5 users) = £1,110
- 150 x £7.50 (Power BI Pro for E3 users) = £1,125
- Total: £43,315/month (£519,780/year)
Annual saving: £20,220
That is a conservative estimate. It assumes all E3 users still get Entra P2 and MDE P2 org-wide. If your security posture allows you to scope MDE P2 to managed corporate endpoints only (excluding BYOD, shared devices), the saving increases significantly.
Pricing disclaimer: These are Microsoft list prices as of early 2026. Microsoft has announced price increases effective July 2026 (E3 rising to ~$39, E5 to ~$60), so validate against your current agreement. CSP and EA agreements typically offer 15-20% below list. The E3-to-E5 ratio remains approximately the same regardless of discount level. If your agreement renews in late 2026, consider locking in current pricing before the increase takes effect.
Licensing Anti-Patterns to Fix First
Before optimising your E3/E5 mix, clean up the waste that exists regardless of SKU choice. These patterns exist in every tenant I assess.
E5 on Service Accounts
Service accounts, room mailboxes, equipment mailboxes, and shared mailboxes do not need E5. In most cases, they need no user licence at all. Shared mailboxes under 50GB, room mailboxes, and equipment mailboxes require no user licence (unless litigation hold, an active retention policy, or an archive mailbox is in use). Automation service accounts using application permissions with certificate authentication similarly need no user licence.
Where this goes wrong: a shared mailbox grows above 50GB and gets an E5 assigned because "that's what we use." The correct remediation is Exchange Online Plan 2 (~£5.50/user/month) for the archive and retention capability.
If your organisation relies heavily on service mailboxes for automated outbound communication (order confirmations, notifications, alerts), consider whether those mailboxes need to be Exchange mailboxes at all. Azure Communication Services (ACS) can handle email at £0.003 per message, scales to two million messages per hour, and supports SMS (two-way), WhatsApp (two-way), and video alongside email. The infrastructure cost averages around £500/month. For organisations sending high volumes of transactional or notification email through licensed service accounts, ACS is almost certainly cheaper and gives you far better integration options through its REST APIs and SDKs than SMTP relay through Exchange ever will.
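The service-mailbox check described above, as an added example that is not part of the original post: it lists shared, room and equipment mailboxes that currently hold a user licence, alongside the conditions the post gives for genuinely needing one (mailbox over 50GB, litigation hold, an archive, or an active hold). It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed; the output path and the `Get-MailboxBytes` helper are this example's own.

```powershell
# Added example, not the post's own script: licensed shared/room/equipment mailboxes
# and whether each one meets any of the conditions that actually require a licence.
# Needs the ExchangeOnlineManagement and Microsoft.Graph modules.
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes "User.Read.All","Organization.Read.All"

$skuNameById = @{}
foreach ($s in (Get-MgSubscribedSku -All)) { $skuNameById[$s.SkuId] = $s.SkuPartNumber }
$thresholdBytes = 50GB    # the no-licence size limit quoted in the post

$mailboxes = Get-EXOMailbox -RecipientTypeDetails SharedMailbox,RoomMailbox,EquipmentMailbox `
    -ResultSize Unlimited `
    -Properties ExternalDirectoryObjectId,RecipientTypeDetails,LitigationHoldEnabled,ArchiveStatus,InPlaceHolds

function Get-MailboxBytes([string]$Identity) {
    # TotalItemSize renders as e.g. "12.3 GB (13,207,024,435 bytes)"; take the byte count
    $raw = (Get-EXOMailboxStatistics -Identity $Identity).TotalItemSize.ToString()
    if ($raw -match '\(([\d,]+) bytes\)') { return [int64]($Matches[1] -replace ',', '') }
    return 0
}

$report = foreach ($mbx in $mailboxes) {
    $user = Get-MgUser -UserId $mbx.ExternalDirectoryObjectId -Property "AssignedLicenses" -ErrorAction SilentlyContinue
    $skuNames = @($user.AssignedLicenses | ForEach-Object { $skuNameById[$_.SkuId] })
    if ($skuNames.Count -eq 0) { continue }    # unlicensed already, nothing to reclaim

    $bytes = Get-MailboxBytes -Identity $mbx.PrimarySmtpAddress
    $holds = ($mbx.InPlaceHolds | Measure-Object).Count   # Purview retention/eDiscovery holds
    $needsLicence = ($bytes -gt $thresholdBytes) -or
                    [bool]$mbx.LitigationHoldEnabled -or
                    ($mbx.ArchiveStatus -eq "Active") -or
                    ($holds -gt 0)
    $finding = if ($needsLicence) { "Licence required: should be Exchange Online Plan 2, not E3/E5" } else { "No licence required: remove it" }

    [PSCustomObject]@{
        Mailbox  = $mbx.PrimarySmtpAddress
        Type     = $mbx.RecipientTypeDetails
        Licences = ($skuNames -join ",")
        SizeGB   = [math]::Round($bytes / 1GB, 1)
        LitHold  = [bool]$mbx.LitigationHoldEnabled
        Archive  = $mbx.ArchiveStatus
        Holds    = $holds
        Finding  = $finding
    }
}

$report | Sort-Object SizeGB -Descending | Format-Table -AutoSize
$report | Export-Csv "$env:TEMP\LicensedServiceMailboxes.csv" -NoTypeInformation
```

Anything in the "Licence required" rows that shows SPE_E3 or SPE_E5 in the Licences column is the over-licensing the post describes; the "No licence required" rows are straightforward reclaims once you have confirmed the mailbox is not under a hold you were not expecting.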
Blanket E5 by Department
"Finance gets E5 for compliance reasons" is a reasonable starting premise. Deploying E5 to every member of a 500-person finance department without checking whether all 500 need Purview features (vs. 50 compliance officers who do) is where the anti-pattern lives. The Purview user-scoping requirement means you could architect a solution where 50 users have E5 for compliance coverage and the other 450 remain on E3.
Duplicate Entitlements
Organisations that migrated from Office 365 E3 + EMS E5 to the unified M365 E5 sometimes carry both subscriptions, paying for overlapping capabilities. Similarly, standalone Defender for Endpoint P2 add-ons that predate an E5 rollout create duplicate entitlements. The licensing audit post covers how to detect these with Graph API.
The Decision Matrix
With your anti-patterns cleaned up, use this decision tree to determine the right E3/E5 mix:
Step 1: What are your compliance obligations?
- NIST 800-171/CMMC, FCA/PRA regulated, or processing controlled data → E5 Compliance features are likely required org-wide. Evaluate whether Purview standalone add-ons can satisfy the requirement at lower cost.
- ISO 27001, Cyber Essentials Plus, SOC 2 → E3 with targeted add-ons is typically sufficient. Cyber Essentials Plus specifically does not require E5.
Step 2: What is your endpoint security requirement?
- Full EDR with threat hunting and 6-month timeline → MDE P2 needed. Determine scope: all endpoints or managed corporate only.
- Basic antivirus and device compliance → E3 Intune + Windows Defender is sufficient.
Step 3: Who needs identity security?
- PIM for admin roles → Entra P2 for those users only. This is rarely more than 5-15% of users.
- Risk-based Conditional Access via Identity Protection → Entra P2 required for every user in scope for the risk-based CA policy. If you need org-wide coverage, all users need P2.
Step 4: Who needs voice?
- Count actual PSTN calling users. Apply Teams Phone add-on to that group only.
Step 5: Run the maths.
- For each user group, sum the required add-ons. If any group exceeds £16.60/user/month in add-ons, that group should be on E5. Everyone else stays on E3 with targeted add-ons.
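The breakpoint formula and Step 5 applied per user group, as an added example rather than a script from the original post. The prices are the GBP list prices from the tables above; the five user groups are constructed sample data for a 1,000-user tenant. It generalises the rule in one respect: a need with no standalone add-on price in the table (here the placeholder `PurviewE5`, standing for the E5 Compliance features the post prices only as part of E5) forces that group onto E5 regardless of the add-on sum.

```powershell
# Added example, not the post's own script. Prices are the GBP list prices quoted
# in the post; the user groups further down are constructed sample data.
$E3Price   = 28.40
$E5Price   = 45.00
$E5Premium = $E5Price - $E3Price    # 16.60: the breakpoint

# Standalone add-on list prices (£/user/month). A need with no entry here has no
# standalone price in the post (e.g. E5 Compliance features), so it forces E5.
$AddOnPrice = @{
    EntraP2        = 7.20
    MDEP2          = 4.50
    DefenderO365P2 = 3.70
    TeamsPhone     = 7.40
    AudioConf      = 2.00
    PowerBIPro     = 7.50
    IntuneSuite    = 8.10
}

function Get-GroupRecommendation {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Users,
        [string[]]$Needs = @()
    )
    $unpriced = @($Needs | Where-Object { -not $AddOnPrice.ContainsKey($_) })
    $addOnSum = 0.0
    foreach ($need in $Needs) {
        if ($AddOnPrice.ContainsKey($need)) { $addOnSum += $AddOnPrice[$need] }
    }
    # The breakpoint rule: E5 when the add-on stack costs more than the E5 premium,
    # or when a required feature cannot be bought as an add-on at all.
    if ($unpriced.Count -gt 0) {
        $sku = "E5"; $why = "needs $($unpriced -join ', ') (no add-on)"
    } elseif ($addOnSum -gt $E5Premium) {
        $sku = "E5"; $why = "add-ons £$addOnSum > premium £$E5Premium"
    } else {
        $sku = "E3 + add-ons"; $why = "add-ons £$addOnSum <= premium £$E5Premium"
    }
    $perUser = if ($sku -eq "E5") { $E5Price } else { $E3Price + $addOnSum }
    [PSCustomObject]@{
        Group        = $Name
        Users        = $Users
        AddOnSum     = [math]::Round($addOnSum, 2)
        Recommend    = $sku
        Reason       = $why
        PerUserMonth = [math]::Round($perUser, 2)
        GroupMonth   = [math]::Round($perUser * $Users, 2)
        AllE5Month   = $E5Price * $Users
    }
}

# Constructed groups for a 1,000-user tenant; "PurviewE5" is a placeholder need
$plan = @(
    Get-GroupRecommendation -Name "Security & IT admins" -Users 60  -Needs EntraP2,MDEP2,DefenderO365P2,TeamsPhone
    Get-GroupRecommendation -Name "Compliance officers"  -Users 40  -Needs EntraP2,MDEP2,PurviewE5
    Get-GroupRecommendation -Name "Sales (PSTN voice)"   -Users 300 -Needs EntraP2,MDEP2,TeamsPhone
    Get-GroupRecommendation -Name "Knowledge workers"    -Users 450 -Needs EntraP2,MDEP2
    Get-GroupRecommendation -Name "Frontline / shared"   -Users 150 -Needs EntraP2
)

$plan | Format-Table Group, Users, AddOnSum, Recommend, Reason, PerUserMonth, GroupMonth -AutoSize
$optimised = ($plan | Measure-Object GroupMonth -Sum).Sum
$allE5     = ($plan | Measure-Object AllE5Month -Sum).Sum
"Optimised mix: £{0:N0}/month   All E5: £{1:N0}/month   Annual saving: £{2:N0}" -f `
    $optimised, $allE5, (($allE5 - $optimised) * 12)
```

Replace the constructed groups with the cohorts from your own audit output and the Recommend column becomes the group-by-group answer to Step 5; the Reason column is what you show a reviewer who asks why a particular group did or did not get E5.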
Implementing Mixed Licensing with Group-Based Licensing
Group-based licensing (GBL) is the correct implementation pattern for any mixed E3/E5 environment. Direct licence assignment at scale is ungovernable. If you are currently assigning licences directly, the licensing audit post covers how to identify direct-assigned users with Graph API and why the migration to GBL is a prerequisite for sustainable cost governance.
Dynamic group membership rules require Entra ID P1 or P2, which E3 already includes.
Recommended Group Structure
The LIC- prefix is a naming convention to distinguish licensing groups from access and policy groups in Entra ID.
```
Entra ID Security Groups:
├── LIC-M365-E3-Base (all standard users)
├── LIC-M365-E5-Security (SOC, IT security, privileged admins)
├── LIC-M365-E5-Compliance (compliance officers, legal, DPO)
├── LIC-AddOn-TeamsPhone (users requiring PSTN calling)
├── LIC-AddOn-EntraP2 (PIM users on E3 who need P2)
├── LIC-AddOn-PowerBI (Power BI Pro users on E3)
├── LIC-AddOn-Copilot (Copilot rollout cohort)
└── LIC-AddOn-IntuneSuite (advanced device management)
```
Critical constraint: A user assigned E3 via LIC-M365-E3-Base who also receives E5 via LIC-M365-E5-Security will be double-licensed. The correct pattern is mutually exclusive groups with dynamic membership rules.
Dynamic membership rule for the E3 base group (Entra ID rule syntax): all enabled users who are not in the security or compliance departments.

```
(user.accountEnabled -eq true) and (user.department -ne "IT Security") and (user.department -ne "Compliance") and (user.department -ne "SOC")
```

Dynamic membership rule for the E5 security group:

```
(user.accountEnabled -eq true) and ((user.department -eq "IT Security") or (user.department -eq "SOC")) and ((user.jobTitle -match "Engineer") or (user.jobTitle -match "Analyst") or (user.jobTitle -match "Architect") or (user.jobTitle -match "Manager"))
```

Note that as written these two rules do not partition the directory: an IT Security or SOC user whose job title matches none of the four patterns is excluded by the E3 rule but not admitted by the E5 rule, and ends up with no licence at all. Pair mutually exclusive rules with a recurring check for enabled members holding no licence. GBL handles the assignment automatically. When a user's department attribute changes (because they moved to the security team, for instance), the dynamic group membership updates and the licence follows. No manual intervention required.
Microsoft supports nested groups for GBL but warns against more than two levels of nesting for licensing purposes. Keep your group hierarchy flat.
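An added check for the group-based licensing failure modes described above; this is example code, not a script from the original post. It reports users holding both an E3 and an E5 SKU (the double-licensing case), showing which group assigned each via `licenseAssignmentStates`, enabled members holding no licence at all (the gap between two exclusive membership rules), and members that a `LIC-` group tried and failed to license, read from the Graph `membersWithLicenseErrors` endpoint. It assumes the `LIC-` naming convention from the post and Microsoft's standard SKU part numbers; it does not follow paging on the error endpoint, which is normally a small set.

```powershell
# Added example, not the post's own script: the three GBL problems worth checking
# after every group change. Assumes the LIC- prefix convention from the post.
Connect-MgGraph -Scopes "User.Read.All","Group.Read.All","Directory.Read.All"

$skus = Get-MgSubscribedSku -All
$skuNameById = @{}
foreach ($s in $skus) { $skuNameById[$s.SkuId] = $s.SkuPartNumber }
$e3SkuIds = @($skus | Where-Object { $_.SkuPartNumber -in @("SPE_E3", "ENTERPRISEPACK") } | ForEach-Object { $_.SkuId })
$e5SkuIds = @($skus | Where-Object { $_.SkuPartNumber -in @("SPE_E5", "ENTERPRISEPREMIUM") } | ForEach-Object { $_.SkuId })

# licenseAssignmentStates records, per SKU, which group assigned it
# (AssignedByGroup is null for a direct assignment), which is what unpicks an overlap.
$users = Get-MgUser -All -Property "Id,UserPrincipalName,AccountEnabled,UserType,AssignedLicenses,LicenseAssignmentStates"

$groupNames = @{}
function Get-AssignmentSource([string]$GroupId) {
    if (-not $GroupId) { return "direct assignment" }
    if (-not $groupNames.ContainsKey($GroupId)) {
        $groupNames[$GroupId] = (Get-MgGroup -GroupId $GroupId -Property DisplayName).DisplayName
    }
    return $groupNames[$GroupId]
}

# 1. Users holding both an E3 and an E5 SKU, with the source of each
$doubleLicensed = foreach ($u in $users) {
    $held  = @($u.AssignedLicenses | ForEach-Object { $_.SkuId })
    $hasE3 = @($held | Where-Object { $_ -in $e3SkuIds }).Count -gt 0
    $hasE5 = @($held | Where-Object { $_ -in $e5SkuIds }).Count -gt 0
    if (-not ($hasE3 -and $hasE5)) { continue }
    $sources = foreach ($state in $u.LicenseAssignmentStates) {
        if ($state.SkuId -in ($e3SkuIds + $e5SkuIds)) {
            "{0} via {1}" -f $skuNameById[$state.SkuId], (Get-AssignmentSource $state.AssignedByGroup)
        }
    }
    [PSCustomObject]@{ UPN = $u.UserPrincipalName; Sources = ($sources -join "; ") }
}

# 2. Enabled members with no licence at all: the gap between exclusive membership rules
$unlicensed = @($users | Where-Object {
    $_.AccountEnabled -and $_.UserType -eq "Member" -and -not $_.AssignedLicenses
})

# 3. Members a LIC- group tried and failed to license (no seats, conflicting plans, ...)
$licGroups = Get-MgGroup -All -Filter "startswith(displayName,'LIC-')" -Property "Id,DisplayName"
$assignmentErrors = foreach ($g in $licGroups) {
    $uri  = "https://graph.microsoft.com/v1.0/groups/$($g.Id)/membersWithLicenseErrors?`$select=userPrincipalName"
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    foreach ($m in $page.value) {
        [PSCustomObject]@{ Group = $g.DisplayName; UPN = $m.userPrincipalName }
    }
}

Write-Host "Double-licensed (E3 + E5): $(@($doubleLicensed).Count)"
$doubleLicensed | Format-Table -AutoSize
Write-Host "Enabled members with no licence: $($unlicensed.Count)"
$unlicensed | Select-Object UserPrincipalName | Format-Table -AutoSize
Write-Host "Group licence assignment errors: $(@($assignmentErrors).Count)"
$assignmentErrors | Format-Table -AutoSize
```

The Sources column is the useful part of the first report: "SPE_E3 via LIC-M365-E3-Base; SPE_E5 via direct assignment" points at a leftover direct assignment to remove, whereas two group names point at overlapping membership rules to fix.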
Scripts: Analysing Your Own Tenant
These scripts build on the licensing audit foundation. Run the audit first to establish your baseline, then use these to model the optimisation.
Analyse E5 Feature Usage Per User
This script checks which E5-exclusive service plans are enabled on each E5 user and cross-references against actual workload activity.
```powershell
Connect-MgGraph -Scopes "User.Read.All","Directory.Read.All","AuditLog.Read.All","Reports.Read.All","Organization.Read.All"

# E5-exclusive service plan GUIDs
# Validate against your tenant before production use:
#   Get-MgSubscribedSku | Select-Object -ExpandProperty ServicePlans | Sort-Object ServicePlanName
# Microsoft occasionally changes plan GUIDs between SKU versions.
$e5ServicePlans = @{
    "8e0c0a52-6a6c-4d40-8370-dd62790dcd70" = "Defender for Office 365 P2"
    "871d91ec-ec1a-452b-a83f-bd76c7d770ef" = "Defender for Endpoint P2"
    "eec0eb4f-6444-4f95-aba0-50c24d67f998" = "Entra ID P2"
    "2f442157-a11c-46b9-ae5b-6e39ff4e5849" = "Audit Premium"
    "b1188c4c-1b36-4018-b48b-ee07604f6feb" = "Insider Risk Management"
    "41781fb2-bc02-4b7c-bd55-b576c07bb09d" = "eDiscovery Premium"
    "4828c8ec-dc2e-4779-b502-87ac9ce28ab7" = "Power BI Pro"
    "57ff2da0-773e-42df-b2af-ffb7a2317929" = "Teams Phone System"
}

# Resolve E5 SKU IDs
# SPE_E5 = M365 E5 (unified), ENTERPRISEPREMIUM = legacy O365 E5
# Add your tenant's E5 variants here if needed (e.g. M365EDU_A5_FACULTY)
$skus = Get-MgSubscribedSku -All
$e5SkuIds = @($skus | Where-Object {
    $_.SkuPartNumber -in @("SPE_E5", "ENTERPRISEPREMIUM")
} | ForEach-Object { $_.SkuId })
if ($e5SkuIds.Count -eq 0) {
    Write-Warning "No E5 SKUs found in tenant. Check Get-MgSubscribedSku output."
    return
}

# Get all users with licence details (SignInActivity needs the AuditLog.Read.All scope)
$users = Get-MgUser -All -Property "Id,DisplayName,UserPrincipalName,AssignedLicenses,SignInActivity,Department" `
    -ConsistencyLevel eventual

# Filter to E5 users
$e5Users = $users | Where-Object {
    ($_.AssignedLicenses.SkuId | Where-Object { $_ -in $e5SkuIds } | Measure-Object).Count -gt 0
}

# Pull 90-day usage report. If the admin centre reports setting conceals user
# names, the UPN column is pseudonymised and no rows below will match.
$usagePath = "$env:TEMP\M365Usage_E5.csv"
Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/reports/getOffice365ActiveUserDetail(period='D90')" `
    -OutputFilePath $usagePath
# Index the report by UPN so each user lookup is a hash hit rather than a scan of the CSV
$usageByUpn = @{}
foreach ($row in Import-Csv $usagePath) { $usageByUpn[$row.'User Principal Name'] = $row }

$results = foreach ($user in $e5Users) {
    $licence = $user.AssignedLicenses | Where-Object { $_.SkuId -in $e5SkuIds } | Select-Object -First 1
    if (-not $licence) { continue }

    # Count E5 service plans that are not disabled on this assignment
    $enabledCount = 0
    foreach ($planId in $e5ServicePlans.Keys) {
        if ($licence.DisabledPlans -notcontains $planId) { $enabledCount++ }
    }

    $lastSignIn = $user.SignInActivity.LastSignInDateTime
    $daysSinceSignIn = if ($lastSignIn) {
        [math]::Round(((Get-Date) - [datetime]$lastSignIn).TotalDays, 0)
    } else { 9999 }   # never signed in, or no sign-in data: treat as inactive

    $activity = $usageByUpn[$user.UserPrincipalName]
    [PSCustomObject]@{
        UPN             = $user.UserPrincipalName
        DisplayName     = $user.DisplayName
        Department      = $user.Department
        DaysSinceSignIn = $daysSinceSignIn
        EnabledE5Plans  = $enabledCount
        ExchangeActive  = $activity.'Exchange Last Activity Date'
        TeamsActive     = $activity.'Teams Last Activity Date'
    }
}

$results | Export-Csv "$env:TEMP\E5FeatureUsage.csv" -NoTypeInformation
Write-Host "E5 users analysed: $($results.Count)"
$results | Group-Object EnabledE5Plans | Sort-Object { [int]$_.Name } |
    ForEach-Object { Write-Host "  $($_.Name) E5 plans enabled: $($_.Count) users" }
```
Identify Downgrade Candidates
Users with fewer than two E5 service plans enabled, or who have not signed in for 90+ days, are candidates for E3 downgrade.
```powershell
param(
    [string]$ReportPath = "$env:TEMP\E5FeatureUsage.csv",
    [int]$MinE5Plans = 2,
    [int]$InactiveDays = 90
)

$e5Users = @(Import-Csv $ReportPath)
$candidates = @($e5Users | Where-Object {
    [int]$_.DaysSinceSignIn -ge $InactiveDays -or
    [int]$_.EnabledE5Plans -lt $MinE5Plans
} | Select-Object UPN, DisplayName, Department, DaysSinceSignIn, EnabledE5Plans,
    @{N="Reason"; E={
        $reasons = @()
        if ([int]$_.DaysSinceSignIn -ge $InactiveDays) {
            $reasons += "Inactive ($($_.DaysSinceSignIn) days)"
        }
        if ([int]$_.EnabledE5Plans -lt $MinE5Plans) {
            $reasons += "Only $($_.EnabledE5Plans) E5 plan(s) enabled"
        }
        $reasons -join "; "
    }})

# 16.60 = E5 premium over E3 (GBP list price, see the TCO section)
$monthlySaving = $candidates.Count * 16.60
Write-Host "Downgrade candidates: $($candidates.Count) of $($e5Users.Count) E5 users"
Write-Host "Estimated monthly saving: £$('{0:N0}' -f $monthlySaving)"
Write-Host "Estimated annual saving: £$('{0:N0}' -f ($monthlySaving * 12))"

$candidates | Export-Csv "$env:TEMP\E5DowngradeCandidates.csv" -NoTypeInformation
$candidates | Sort-Object { [int]$_.EnabledE5Plans } |
    Format-Table UPN, Department, DaysSinceSignIn, EnabledE5Plans, Reason -AutoSize
```
Model the Optimised Spend
This script produces the executive comparison: current state vs. all-E5 vs. optimised mix.
```powershell
param(
    [int]$TotalUsers = 1000,
    [int]$CurrentE5Users = 600,
    [int]$GenuineE5Need = 200,
    [int]$VoiceUsers = 350,
    [int]$PowerBiUsers = 150,
    [int]$CopilotUsers = 100,
    [decimal]$E3Price = 28.40,
    [decimal]$E5Price = 45.00,
    [decimal]$EntraP2Price = 7.20,
    [decimal]$MDEPrice = 4.50,
    [decimal]$PhonePrice = 7.40,
    [decimal]$PowerBiPrice = 7.50,
    [decimal]$CopilotPrice = 25.00
)

$currentE3   = $TotalUsers - $CurrentE5Users
$optimisedE3 = $TotalUsers - $GenuineE5Need

# Scenario A: Current state
$currentSpend = ($CurrentE5Users * $E5Price) + ($currentE3 * $E3Price) + ($CopilotUsers * $CopilotPrice)

# Scenario B: All E5
$allE5Spend = ($TotalUsers * $E5Price) + ($CopilotUsers * $CopilotPrice)

# Scenario C: Optimised mix
$optimisedSpend =
    ($GenuineE5Need * $E5Price) +
    ($optimisedE3 * $E3Price) +
    ($optimisedE3 * $EntraP2Price) +   # Entra P2 for all E3 users
    ($optimisedE3 * $MDEPrice) +       # MDE P2 for all E3 users
    # Voice/BI: assumes E5 users absorb these needs first. Adjust if your
    # E5 cohort (e.g. security team) does not overlap with voice/BI users.
    ([math]::Max(0, $VoiceUsers - $GenuineE5Need) * $PhonePrice) +
    ([math]::Max(0, $PowerBiUsers - $GenuineE5Need) * $PowerBiPrice) +
    ($CopilotUsers * $CopilotPrice)

Write-Host "`n=== M365 Licence Spend Comparison ($TotalUsers users) ==="
Write-Host ("{0,-35} {1,15} {2,15}" -f "Scenario", "Monthly", "Annual")
Write-Host ("{0,-35} {1,15} {2,15}" -f "Current state", "£$('{0:N0}' -f $currentSpend)", "£$('{0:N0}' -f ($currentSpend * 12))")
Write-Host ("{0,-35} {1,15} {2,15}" -f "All E5", "£$('{0:N0}' -f $allE5Spend)", "£$('{0:N0}' -f ($allE5Spend * 12))")
Write-Host ("{0,-35} {1,15} {2,15}" -f "Optimised E3 + add-ons", "£$('{0:N0}' -f $optimisedSpend)", "£$('{0:N0}' -f ($optimisedSpend * 12))")
Write-Host ""

$savingVsCurrent = ($currentSpend - $optimisedSpend) * 12
$savingVsAllE5   = ($allE5Spend - $optimisedSpend) * 12
Write-Host "Annual saving vs current: £$('{0:N0}' -f $savingVsCurrent)"
Write-Host "Annual saving vs all-E5: £$('{0:N0}' -f $savingVsAllE5)"
```
Optimising Your M365 Licensing: Next Steps
If you have not already run a licence audit to establish your baseline, do that first. The licensing audit post gives you the scripts and methodology. You cannot optimise what you have not measured.
From there:
1. Identify your E5 feature usage. Use the scripts above to determine which E5 service plans each user actually has enabled. The gap between "assigned" and "used" is where the savings live.
2. Map your compliance obligations. The decision matrix above gives you the framework. If you are FCA-regulated or handling controlled data under NIST, E5 Compliance coverage may be non-negotiable for your in-scope users. For Cyber Essentials Plus or ISO 27001, E3 with targeted add-ons is typically sufficient. Document the mapping between your compliance requirements and the specific Purview features that satisfy them.
3. Build the business case. The spend comparison script produces numbers you can hand to finance. Frame it as risk-neutral cost optimisation: every user still gets the capabilities they need, but you stop paying for capabilities they do not use.
4. Implement group-based licensing. Move from direct assignment to the group structure outlined above. This is a prerequisite for sustainable mixed licensing. Direct assignment at scale guarantees drift.
5. Review quarterly. Licensing needs change as compliance requirements evolve, new users join, and Microsoft adjusts its feature bundles. Build the analysis scripts into a quarterly review cycle. The tenant health audit post covers how to automate ongoing governance checks.
The Bottom Line
E5 is a premium product that delivers genuine value for users who need its advanced security, compliance, and voice capabilities. The problem is not E5 itself. The problem is deploying it to every user without analysing who actually needs what.
For most organisations, the optimal licensing strategy is a mixed model: E5 for the 15-25% of users who genuinely need three or more E5-exclusive feature areas, E3 with targeted add-ons for everyone else, and group-based licensing to keep it maintainable.
The scripts in this post give you the data to make that case. The breakpoint formula gives you the framework to evaluate it. And the group-based licensing pattern gives you the implementation path.
Stop buying four-bedroom houses for people who live alone.